Nmap Development mailing list archives
Re: [NSE script] Data Access Messaging Protocol used by Ingres Data Access server (iigcd)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 24 Jul 2014 23:34:42 -0500
Quentin,

Thanks for your patience. I am looking into this now, having installed Ingres and downloaded the source to see if I can help refine the results. Here are some observations so far:

1. It's best to use ASCII values when you can (e.g. "JCTL" instead of "\x4a\x43\x54\x4c") in both the probe and match lines. This makes things clearer.

2. We shouldn't capture (enclose in parentheses) anything in the match line that we don't intend to keep for display. For your match, this pretty much means dropping the parentheses, though you'll still need one non-capturing group (?:example|alternation).

3. This seems to work for the II7 listener (port 21071), but fails for the II listener (port 21064). Here are the relevant log lines:

localhost ::[60441 IIGCC, 17111 , 0000000000000002]: Thu Jul 24 19:45:06 2014 E_GC2812_TL_INVALID_CONNCTN TL internal error: Received unknown connection id 0000544C from partner.
localhost ::[60441 IIGCC, 17111 , 0000000000000002]: Thu Jul 24 19:45:06 2014 E_GC2806_TL_FSM_INP TL internal error: Invalid input event in TL FSM

Note that the connection id ends in 544C, which is the "TL" portion of "JCTL".

4. I'm looking into whether it's better to send a JCTL or DMTL header, since it depends on how the service is configured, and some may be rejected. If this ends up needing multiple probes in order to check each of the transport layers and message layer types, then maybe we should move it back into an NSE script, leaving the most-likely one as a service-probe.

That's all I have for now, but I will continue to look at this. Please feel free to correct any strange ideas I have, since I've only just started looking at this service.

Dan

On Wed, Jul 9, 2014 at 10:16 AM, qhardyfr () gmail com <qhardyfr () gmail com> wrote:
Hello everyone,

I think the following service probe for Ingres is good. Is the Ingres service probe in the current nmap version? If not, when will this service probe be pushed into the current nmap version?

Thank you in advance,
-- Quentin HARDY

---------- Forwarded message ----------
From: qhardyfr () gmail com <qhardyfr () gmail com>
Date: 2014-06-16 11:03 GMT+02:00
Subject: Fwd: [NSE script] Data Access Messaging Protocol used by Ingres Data Access server (iigcd)
To: Daniel Miller <bonsaiviking () gmail com>

Hello Daniel,

What do you think of the Ingres service-probes? Is this script OK?

Thank you in advance,
-- Quentin HARDY

---------- Forwarded message ----------
From: qhardyfr () gmail com <qhardyfr () gmail com>
Date: 2014-06-08 23:02 GMT+02:00
Subject: Re: [NSE script] Data Access Messaging Protocol used by Ingres Data Access server (iigcd)
To: Daniel Miller <bonsaiviking () gmail com>

Hello Daniel,

I have written the nmap-services line and the nmap-service-probes script:

[+] In the nmap-services file, replace

"""
unknown 21071/udp 0.000654
"""

by

"""
ingres-dam 21071/tcp 0.000654 #Data Access Messaging Protocol used by Ingres Data Access Server (iigcd)
"""

[+] In the nmap-service-probes file, add this source code in order to detect the DAM protocol:

"""
##############################NEXT PROBE##############################
#Detect the Data Access Messaging Protocol (DAM) used by Ingres Data Access Server (iigcd)
#"2300" --length of the following array +2
#"4a43544c" --Transport packet ID
#"4352" --Connection Request (ascii 'CR')
#"010102" --DAM-TL Protocol Level (lvl 2)
#"02010f" --Packet Size
#"0604444d4d4c" --Message Layer Protocol ID ('DMML')
#"030d" --Length of the following Session mask
#"010107" --DAM-ML protocol level (lvl 7)
#"0308daafb0479210e2e5" --Session mask
Probe TCP dam-connection q|\x23\x00\x4a\x43\x54\x4c\x43\x52\x01\x01\x02\x02\x01\x0f\x06\x04\x44\x4d\x4d\x4c\x03\x0d\x01\x01\x07\x03\x08\xda\xaf\xb0\x47\x92\x10\xe2\xe5|
ports 21071,21064
# (..) --packet length
# "4a43544c4343" and "444d544c4343" --Only 2 possibilities for the Transport Packet ID
# "0604444d4d4c" --Currently, only a single message layer protocol is defined (444d4d4c)
match dam-connection m/^(..)(\x4a\x43\x54\x4c\x43\x43|\x44\x4d\x54\x4c\x43\x43)(.*)\x06\x04\x44\x4d\x4d\x4c/s p/ingres-dam/
"""

What do you think about that?

I will write a new Ingres nse script as soon as possible in order to get the string connection (ex: II7) from the port. There is no more information to pick up from the connection because we need to be connected in order to get the Ingres version.

Thank you for your help,
-- Quentin HARDY
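As an added illustration (not code from the thread, from Nmap or from Ingres), the following Python assembles the connection-request probe above from its annotated fields and applies the same test as the posted match line, minus the unneeded capture groups, to constructed replies. The type/length/value layout of the parameters and the little-endian length prefix are inferred from the annotations and are assumptions; the sample replies are constructed, not captured from a server.

```python
import re
import struct

# Session mask used in the probe posted in the thread.
SESSION_MASK = bytes.fromhex("daafb0479210e2e5")

# The probe string exactly as posted in the thread, for comparison.
THREAD_PROBE = bytes.fromhex(
    "23004a43544c4352010102" "02010f" "0604444d4d4c" "030d010107"
    "0308daafb0479210e2e5")


def tlv(ptype, value):
    """One parameter: type byte, length byte, value (layout inferred from the annotations; assumption)."""
    return bytes([ptype, len(value)]) + value


def build_connection_request(session_mask, transport=b"JCTL"):
    """Assemble a DAM-TL connection request from its annotated fields.
    The 16-bit little-endian length prefix counts the whole packet, itself included."""
    ml_params = tlv(0x01, b"\x07") + tlv(0x03, session_mask)  # DAM-ML level 7, session mask
    tl_params = (tlv(0x01, b"\x02")                            # DAM-TL protocol level 2
                 + tlv(0x02, b"\x0f")                          # packet size
                 + tlv(0x06, b"DMML")                          # message-layer protocol id
                 + tlv(0x03, ml_params))                       # nested message-layer params
    body = transport + b"CR" + tl_params
    return struct.pack("<H", len(body) + 2) + body


# Same test as the posted match line, without capture groups that are not meant for display.
DAM_CONFIRM = re.compile(rb"^..(?:JCTL|DMTL)CC.*\x06\x04DMML", re.S)


def classify_response(data):
    """Return the transport id ('JCTL' or 'DMTL') of a plausible DAM connection confirm, else None.
    Also rejects a reply whose length prefix disagrees with the bytes received (assumes one
    packet per reply)."""
    if len(data) < 2 or struct.unpack("<H", data[:2])[0] != len(data):
        return None
    if not DAM_CONFIRM.match(data):
        return None
    return data[2:6].decode("ascii")


def sample_confirm(transport):
    """Constructed sample reply: 'CC' carrying a protocol-level and a DMML parameter."""
    body = transport + b"CC" + tlv(0x01, b"\x02") + tlv(0x06, b"DMML")
    return struct.pack("<H", len(body) + 2) + body
```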
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/